Is risk rating at account opening required or can it be reviewed after a specified timeframe?

There is no regulation which requires an account be risk rated at account opening. Depending on how you actually risk rate clients, manual or through an automated system, it may be subsequent to the completion of the client acceptance process or at some reasonable point down the road.

But if you do not risk rate them at opening with your CDD, you cannot determine if EDD is needed as well. The EDD could change your decision about opening the account.

Some banks default to a "higher" risk rating at account inception and set their actual risk rating based on activity after 60 - 90 days. The new due diligence regulation is bound to change some philosophies...

You're right that it's not a specific regulatory requirement to risk rate every customer at account opening. But you better have a strong enough CDD program to identify the truly high risk customers right off the bat, especially if you're 1 billion+. Otherwise, you could easily find out how much examiners like to shoehorn best practices into regulatory violations using the "internal control" pillar.